Merge remote-tracking branch 'upstream/master' into zope4py3

642bad45 · Jérome Perrin · 24558646 · 568cdc71 · 642bad45 · 642bad45
Commit 642bad45 authored Aug 17, 2023 by Jérome Perrin
7 changed files
--- a/component/avahi/buildout.cfg
+++ b/component/avahi/buildout.cfg
@@ -30,6 +30,6 @@ configure-options =
  --with-systemdsystemunitdir=no
 environment =
  PATH=${pkgconfig:location}/bin:${glib:location}/bin:%(PATH)s
-  CFLAGS=-I${gdbm:location}/include
-  LDFLAGS=-L${gettext:location}/lib -Wl,-rpath=${gettext:location}/lib -L${zlib:location}/lib -Wl,-rpath=${zlib:location}/lib -L${glib:location}/lib -Wl,-rpath=${glib:location}/lib -L${gdbm:location}/lib -Wl,-rpath=${gdbm:location}/lib
-  PKG_CONFIG_PATH=${glib:location}/lib/pkgconfig:${pcre:location}/lib/pkgconfig:${dbus:location}/lib/pkgconfig
+  CFLAGS=-I${gdbm:location}/include -I${libexpat:location}/include
+  LDFLAGS=-L${gettext:location}/lib -Wl,-rpath=${gettext:location}/lib -L${zlib:location}/lib -Wl,-rpath=${zlib:location}/lib -L${glib:location}/lib -Wl,-rpath=${glib:location}/lib -L${gdbm:location}/lib -Wl,-rpath=${gdbm:location}/lib -L${libexpat:location}/lib -Wl,-rpath=${libexpat:location}/lib
+  PKG_CONFIG_PATH=${glib:location}/lib/pkgconfig:${pcre:location}/lib/pkgconfig:${dbus:location}/lib/pkgconfig:${libexpat:location}/lib/pkgconfig
--- a/component/binutils/buildout.cfg
+++ b/component/binutils/buildout.cfg
@@ -42,8 +42,8 @@ environment =
 [binutils]
 recipe = slapos.recipe.cmmi
 shared = true
-url = http://ftp.gnu.org/gnu/binutils/binutils-2.32.tar.bz2
-md5sum = 64f8ea283e571200f8b2b7f66fe8a0d6
+url = http://ftp.gnu.org/gnu/binutils/binutils-2.41.tar.bz2
+md5sum = b572fd7ea427a8f5a3be58d50bd7ea7e
 configure-options =
  --disable-bootstrap
  --with-mpc=${mpc:location}

--- a/software/dufs/test/test.py
+++ b/software/dufs/test/test.py
@@ -131,14 +131,14 @@ class TestFileServer(SlapOSInstanceTestCase):
          return cnx.sock._sslobj.getpeercert()

    cert_before = _getpeercert()
-    # execute certificate updater two month later, when it's time to renew certificate.
+    # execute certificate updater when it's time to renew certificate.
    # use a timeout, because this service runs forever
    subprocess.run(
      (
        'timeout',
        '5',
        'faketime',
-        '+2 months',
+        '+63 days',
        os.path.join(
          self.computer_partition_root_path,
          'etc/service/dufs-certificate-updater'),

--- a/software/metabase/buildout.hash.cfg
+++ b/software/metabase/buildout.hash.cfg
 [instance-profile]
 filename = instance.cfg.in
-md5sum = 685e7b371768f6977896d7214fd379f1
+md5sum = 0d50ed911a41b76b952b63d37853c3a4
--- a/software/metabase/instance.cfg.in
+++ b/software/metabase/instance.cfg.in
@@ -44,11 +44,7 @@ command-line = sh -c "cd $${directory:srv-metabase}; ${java:location}/bin/java $
 environment =
  MB_EMOJI_IN_LOGS=false
  MB_JETTY_HOST=$${:ip}
-  MB_JETTY_PORT=$${:-http-port}
-  MB_JETTY_SSL_PORT=$${:port}
-  MB_JETTY_SSL=true
-  MB_JETTY_SSL_KEYSTORE=$${metabase-keystore:file}
-  MB_JETTY_SSL_KEYSTORE_PASSWORD=$${metabase-keystore:password}
+  MB_JETTY_PORT=$${:port}
  MB_DB_TYPE=postgres
  MB_DB_DBNAME=$${postgresql:dbname}
  MB_DB_PORT=$${postgresql:port}
@@ -62,68 +58,57 @@ environment =
 hash-existing-files =
  $${buildout:directory}/software_release/buildout.cfg

-ip = $${instance-parameter:ipv6-random}
-port = 8443
-# XXX It does not seem we can prevent metabase to also listen on http, so we
-# give it an http port, but don't use it.
-http-port = 18080
-hostname = [$${:ip}]
-scheme = https
-url = $${:scheme}://$${:hostname}:$${:port}
+ip = $${instance-parameter:ipv4-random}
+port = 18080
 promises =
  $${metabase-promise:name}

-[metabase-promise]
-<= monitor-promise-base
-promise = check_url_available
-name = $${:_buildout_section_name_}.py
-config-url= $${metabase-instance:url}/api/session/properties
-
-[metabase-keystore-password]
-recipe = slapos.cookbook:generate.password
-
-[metabase-keystore]
+[metabase-frontend-certificate]
 recipe = plone.recipe.command
-stop-on-error = true
 command =
-  if [ -f $${:file} ]
-  then
-    # XXX password used to be "insecure", but we changed to proper password.
-    # We try to list the store with the new password and if it fail we change
-    # the keystore password.
-    if ! ${java:location}/bin/keytool \
-      -list \
-      -keystore "$${:file}" \
-      -storepass "$${:password}"
+  if [ ! -e $${:cert-file} ]
  then
-      echo "Migrating keystore password" && \
-      ${java:location}/bin/keytool \
-        -storepasswd \
-        -keystore "$${:file}" \
-        -storepass insecure \
-        -new "$${:password}" && \
-      echo "Migrating certificate key password" && \
-      ${java:location}/bin/keytool \
-        -keypasswd \
-        -alias "$${:alias}" \
-        -keypass insecure \
-        -new "$${:password}" \
-        -keystore "$${:file}" \
-        -storepass "$${:password}"
+    ${openssl-output:openssl} req -x509 -nodes -days 3650 \
+      -subj "/C=AA/ST=X/L=X/O=Dis/CN=$${:common-name}" \
+      -newkey rsa -keyout $${:cert-file} \
+      -out $${:cert-file}
  fi
-  else
-    ${java:location}/bin/keytool \
-      -genkeypair \
-      -alias "$${:alias}" \
-      -keyalg RSA \
-      -keypass "$${:password}" \
-      -dname "CN=$${metabase-instance:ip},OU=Unit,O=Organization,L=City,S=State,C=Country" \
-      -keystore "$${:file}" \
-      -storepass "$${:password}"
-  fi
-file = $${directory:etc}/.metabase_keystore
-password = $${metabase-keystore-password:passwd}
-alias = metabase
+update-command = $${:command}
+cert-file = $${directory:var}/$${:_buildout_section_name_}.pem
+common-name = $${metabase-frontend-config:ip}
+location =
+  $${:cert-file}
+
+[metabase-frontend-config]
+recipe = slapos.recipe.template:jinja2
+url = ${stack-haproxy-default-backend-config:target}
+output = $${directory:etc}/$${:_buildout_section_name_}
+context =
+  key pidfile :pidfile
+  key content :content
+content =
+  listen app
+  log global
+  bind $${:ip}:$${:port} ssl crt $${metabase-frontend-certificate:cert-file} alpn h2,http/1.1
+  server app $${metabase-instance:ip}:$${metabase-instance:port}
+
+pidfile = $${directory:run}/$${:_buildout_section_name_}.pid
+ip = $${instance-parameter:ipv6-random}
+port = 8443
+
+[metabase-frontend]
+recipe = slapos.cookbook:wrapper
+wrapper-path = $${directory:services}/$${:_buildout_section_name_}
+command-line =
+  ${haproxy:location}/sbin/haproxy -f $${metabase-frontend-config:output}
+
+url = https://[$${metabase-frontend-config:ip}]:$${metabase-frontend-config:port}
+
+[metabase-promise]
+<= monitor-promise-base
+promise = check_url_available
+name = $${:_buildout_section_name_}.py
+config-url= $${metabase-frontend:url}/api/session/properties

 [postgresql-password]
 recipe = slapos.cookbook:generate.password
@@ -247,6 +232,7 @@ var-cron-entries = $${:var}/cron-entries
 srv = $${buildout:directory}/srv
 bin = $${buildout:directory}/bin
 tmp = $${buildout:directory}/tmp
+run = $${buildout:directory}/run
 service = $${:etc}/service
 srv-metabase = $${:srv}/metabase
 srv-backup = $${:srv}/backup
@@ -254,6 +240,6 @@ fontconfig-cache = $${buildout:directory}/.fontconfig

 [publish-connection-parameter]
 recipe = slapos.cookbook:publish
-url = $${metabase-instance:url}
+url = $${metabase-frontend:url}
 backup-crontab = $${postgresql-backup-crontab-entry:name}
 restore-backup-script = $${postgresql-restore-backup:wrapper-path}
--- a/software/metabase/software.cfg
+++ b/software/metabase/software.cfg
@@ -6,6 +6,7 @@ extends =
    ../../component/java/buildout.cfg
    ../../component/postgresql/buildout.cfg
    ../../component/dcron/buildout.cfg
+    ../../stack/haproxy/default-backend.cfg
    ../../stack/slapos.cfg
    buildout.hash.cfg
    ../../stack/monitor/buildout.cfg
@@ -19,8 +20,8 @@ parts =

 [metabase.jar]
 recipe = slapos.recipe.build:download
-url = https://downloads.metabase.com/v0.45.2/metabase.jar
-md5sum = cca1f4d663ebfa60b3a6d93705b340a0
+url = https://downloads.metabase.com/v0.47.0/metabase.jar
+md5sum = b81c71668a2177d89690730fabd85d9e

 [instance-profile]
 recipe = slapos.recipe.template

--- a/software/restic-rest-server/test/test.py
+++ b/software/restic-rest-server/test/test.py
@@ -158,14 +158,14 @@ class TestResticRestServer(SlapOSInstanceTestCase):
          return cnx.sock._sslobj.getpeercert()

    cert_before = _getpeercert()
-    # execute certificate updater two month later, when it's time to renew certificate.
+    # execute certificate updater when it's time to renew certificate.
    # use a timeout, because this service runs forever
    subprocess.run(
      (
        'timeout',
        '5',
        'faketime',
-        '+2 months',
+        '+63 days',
        os.path.join(
          self.computer_partition_root_path,
          'etc/service/rest-server-certificate-updater'),